A Good Start at Eliminating Virus Attacks Against Your Computer.
KernelPanic:
Calum, we can always rely on you to 'set the score'
tratan:
It's sad how often new Linux users will do everything as root. It's not a *large* problem yet, and it's better than them using Windows, but if Windows starts failing then it'll become more of a problem.
What would be ideal I suppose is a way to easily run programs with limited privileges, such as restrictions on network access (stop worms), overwriting/deletion (but allow new file creation), and limits on CPU and disk-space usage. Otherwise, a user just downloads what he/she thinks is a benevolent program, runs it, and loses his data. Perhaps Root should be able to only let certain users run certain approved programs.
voidmain:
You can already do most of what you are asking. On RedHat if you look at the "/etc/security/limits.conf" file you can see how you can limit users in many ways. I'm sure this is part of all distros but not sure what config directory it would be in (do a "locate limits.conf"). Also for on a standard distribution install (it's called "ulimit"). Do a "man bash" and search for "ulimit". Also you can limit how much disk space a user can have with "quota".
Although I have not tried any of them I believe there are kernel security enhancement patches that will allow more control over who/what/when/where/how a user or program can access the network.
[ July 29, 2002: Message edited by: VoidMain ]
tratan:
*nod* I know that users can be limited in those ways (though I didn't know the name of the file, thank you VoidMain). The problem I see though is that users have full access to their private files, so anything they download and run will have full access to those files (unless they do something akin to sudo). Basically I was considering putting further restrictions on certain files, beyond the restrictions on the users that run the files. A model that could help I suppose is 2 accounts for every user, one with the user's full rights and a testing account that doesn't have access to the user's important files. It's just that it's hard to prevent the user from hurting themselves. Unless they're only allowed to execute programs in /usr and /bin, they'll probably just keep downloading and running malware. Note that this is unlikely to compromise the security of the entire system (except for those fools who constantly use root), it's just that non-system files can be important, too.
voidmain:
Unlike Windows, there are several steps that a user must take to run a program (even if it is only in his/her personal space). It takes coherent thought. If you trust the user enough to even use the system at all then the default limits put in place are more than enough in my opinion. If a user knows enough about how to download and run a program and they still get burned then it's their own damn fault.
In Windows however, it is not the user's fault in most cases because it is the design flaws of the operating system that allow such an easy mutilation of not only the user's personal area but the rest of the system in most cases.
If you want to put such heavy restrictions on the user then you should run them under a restricted shell (rbash). Do a "man bash" and search for "RESTRICTED SHELL".
Or see:
http://www.gnu.org/manual/bash-2.05a/html_node/bashref_75.html
With this you can set their path in such a way that they cannot run executables except for specific directories that they do not have permission to write to. That includes denying them the ability to run a command in a local directory with a "./" in front of it.
[ July 29, 2002: Message edited by: VoidMain ]
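The restricted-shell setup described in the last post (rbash with a PATH that points only at a directory the user cannot write to), as an added example that is not part of the thread. The temporary sandbox directory, the `evil` script and the choice of `ls` as the single approved program are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check what a restricted bash allows when PATH is locked down.
BASH_BIN=$(command -v bash)

setup_sandbox() {
    SANDBOX=$(mktemp -d)                          # constructed demo location
    mkdir -p "$SANDBOX/bin" "$SANDBOX/home"
    ln -s "$(command -v ls)" "$SANDBOX/bin/ls"    # the only approved program
    # Stand-in for a program the user downloaded into their own directory.
    printf '#!/bin/sh\necho downloaded-program-ran\n' > "$SANDBOX/home/evil"
    chmod +x "$SANDBOX/home/evil"
    chmod a-w "$SANDBOX/bin"                      # user cannot add programs here
}

cleanup() { chmod -R u+w "$SANDBOX" 2>/dev/null; rm -rf "$SANDBOX"; }

# Run one command line in a restricted bash started from the user's home
# directory with a clean environment; the exit status says allowed or blocked.
try_restricted() {
    ( cd "$SANDBOX/home" && env -i PATH="$SANDBOX/bin" HOME="$SANDBOX/home" \
        "$BASH_BIN" --noprofile --norc -r -c "$1" >/dev/null 2>&1 )
}

report() {
    if try_restricted "$1"; then verdict=allowed; else verdict=blocked; fi
    printf '%-8s %s\n' "$verdict" "$1"
}

setup_sandbox
trap cleanup EXIT

report 'ls'                    # approved program found through PATH
report './evil'                # "/" in a command name is refused
report 'evil'                  # home directory is not on PATH
report '/bin/ls'               # absolute paths are refused as well
report 'cd /'                  # cd is disabled
report 'PATH=/bin:/usr/bin'    # PATH is read-only
report 'ls > listing'          # output redirection is disabled
```

The restriction is only as tight as the approved directory: a shell script run from it executes in an unrestricted shell, so keep shells, interpreters and programs with shell escapes out of it.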